Event Suppression

I’d like to tell bro to tell me about a certain event, but then suppress itself for a while.

I am running bro version 2.1.

I think I’m on the right track, but I’m not getting the results I expect.

Here’s my script:

I expect that after seeing a certain DNS query in my log, there should be, at a minimum, a 10 second delay until the next entry.

However, when I visit a few known domains that cause a DNS SERVFAIL, there’s no evidence that there was any suppression:

2012-12-03T17:50:17-0500 VwaSrYrTxi 10.10.10.1 foo.org SERVFAIL
2012-12-03T17:50:17-0500 UqKgxpLZXdl 10.10.10.1 foo.org SERVFAIL
2012-12-03T17:50:38-0500 RYIqIhSukA3 10.10.10.1 foo.org SERVFAIL
2012-12-03T17:50:35-0500 mUI17wg5yTc 10.10.10.1 foo.org SERVFAIL
2012-12-03T17:50:38-0500 KemCuIc90gg 10.10.10.1 foo.org SERVFAIL
2012-12-03T17:50:29-0500 8lhNeEBFhpk 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:50:30-0500 OIaKdzZRoVg 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:50:34-0500 Z7dzjrZq2hg 10.10.10.1 foo.org SERVFAIL
2012-12-03T17:50:43-0500 8xWwzjhwtJ3 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:50:44-0500 0wgsg6dNt75 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:50:45-0500 MLQiHZEsHFg 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:50:47-0500 ebViJIKgTsa 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:50:55-0500 6rmI6q4oc5c 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:50:56-0500 rJJziyz3Snk 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:51:07-0500 OVppLHtXjPf 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:51:08-0500 2B20RG46gtl 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:51:19-0500 1OSfSKiNIL2 10.10.10.1 bar.com SERVFAIL
2012-12-03T17:51:20-0500 LK7pwe5inc1 10.10.10.1 bar.com SERVFAIL

Any tips on what I’m doing wrong?

-Chris

I'd like to tell bro to tell me about a certain event, but then suppress itself
for a while.

I am running bro version 2.1.

I think I'm on the right track, but I'm not getting the results I expect.

Here's my script:

...

    # Raise the notice; suppress_for/identifier only dedupe notice.log,
    # they do not affect the stream the 'pred' is attached to.
    NOTICE([$note=DNS_SERV_FAIL,
            $msg=fmt("Check out %s. It failed to resolve %s.",
                     rec$id$orig_h, rec$query),
            $suppress_for=10sec,
            $identifier=cat(rec$query)]);

...

I expect that after seeing a certain DNS query in my log, there should be, at a
minimum, a 10 second delay until the next entry.

The suppress_for there only applies to NOTICE. If you look at your
notice.log you'll see the behavior you expect.

If you want the regular log to have the same behavior you can implement
the suppression yourself.

You just need to create something like

    seen_domains: set[string] &create_expire=10sec &synchronized;

then use something like this in your 'pred'

    if(rec$query !in seen_domains) {
        add seen_domains[rec$query];
        return T;
    } else {
        return F;
    }

or maybe cleaner as

    if(rec$query in seen_domains)
        return F;

    add seen_domains[rec$query];
    return T;
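Putting the two pieces of the reply together, here is an added example of a complete Bro 2.x script (not taken from the thread or from the Bro distribution) that keeps the NOTICE with its suppress_for for notice.log and adds a second filter on the DNS stream whose pred implements the same 10-second window with an expiring set. The module name DNSFailWatch, the function name servfail_pred, the filter name and the dns_servfail log path are assumptions chosen for the example.

```bro
@load base/frameworks/notice
@load base/protocols/dns

module DNSFailWatch;   # assumed module name for this example

export {
    redef enum Notice::Type += {
        ## Raised once per failing query; repeats within 10 seconds are
        ## suppressed in notice.log by the notice framework.
        DNS_SERV_FAIL,
    };
}

# Queries let through recently. &create_expire removes an entry 10 seconds
# after it was added, so the next SERVFAIL for that query passes again.
# &synchronized shares the set across cluster nodes (Bro 2.x state sync).
global seen_domains: set[string] &create_expire=10sec &synchronized;

# Predicate for the extra log filter: T only for a SERVFAIL record whose
# query has not already been written in the current 10-second window.
function servfail_pred(rec: DNS::Info): bool
    {
    if ( ! rec?$rcode_name || rec$rcode_name != "SERVFAIL" )
        return F;
    if ( ! rec?$query )
        return F;

    if ( rec$query in seen_domains )
        return F;

    add seen_domains[rec$query];
    return T;
    }

event bro_init()
    {
    # Second filter on the DNS stream: writes dns_servfail.log with at most
    # one line per query per 10 seconds. The default dns.log is untouched.
    Log::add_filter(DNS::LOG, [$name="servfail-suppressed",
                               $path="dns_servfail",
                               $pred=servfail_pred]);
    }

event DNS::log_dns(rec: DNS::Info)
    {
    if ( ! rec?$rcode_name || rec$rcode_name != "SERVFAIL" || ! rec?$query )
        return;

    # Notice path: suppress_for/identifier dedupe notice.log only.
    NOTICE([$note=DNS_SERV_FAIL,
            $msg=fmt("Check out %s. It failed to resolve %s.",
                     rec$id$orig_h, rec$query),
            $suppress_for=10sec,
            $identifier=cat(rec$query)]);
    }
```

Run it with `bro -r some.pcap dnsfailwatch.bro` (file name assumed) and compare dns.log, dns_servfail.log and notice.log: dns.log still carries every SERVFAIL, the other two show one line per query per window. Using a separate filter rather than a pred on the default filter is a deliberate choice, since dropping records from dns.log itself would destroy evidence an investigator may later want.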